I started using CloudFlare’s free tier on this blog, before Let’s Encrypt burst onto the scene, mostly for their universal SSL. However, as joepie91 recently pointed out, this means that by design CloudFlare has to decrypt all SSL traffic and then re-encrypt it to forward it to your origin site, which in my case had only a self-signed or generic certificate. Apart from this, CloudFlare is a bit of overkill for this low-traffic site.

Because I don’t need much of an excuse to try out something new, I used this as my excuse to try out Let’s Encrypt, a fantastic new(ish) service which issues free 90 day certificates to anyone who can verify their domains.

I was shocked at how easy this was on the Webfaction shared (non-root) hosting I’ve been using for years, and so I had to share.

Step 1: Install acme.sh

At this juncture, as they say, it’s best to log out and in again, so that the acme.sh alias and environment variable can be set up.

Step 2: Issue shiny new SSL certificate

We then get acme.sh to verify the website using the webroot method, and to request a certificate for the two domains cpbotha.net and www.cpbotha.net:

acme.sh --issue -d cpbotha.net -d www.cpbotha.net -w ~/webapps/wp

The argument following -w is the directory from which the website http://cpbotha.net/ is served. Note that this is still plain http: Let’s Encrypt fetches a challenge file that acme.sh has placed under that directory, to confirm that you actually control the specified domain.

After a few seconds of progress output, I was left with a shiny certificate (as well as the CSR, key, and so forth) in ~/.acme.sh/cpbotha.net/.
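The issue step and the checks I would run on the resulting files before handing them to support, as an added example (my own script, not the post’s or the acme.sh project’s code). It assumes acme.sh is on PATH after the log-out/log-in of step 1 and that openssl is available; the domain, webroot and file names are the ones the post shows.

```shell
#!/bin/sh
# Added example (not from the original post): issue the certificate with
# acme.sh's webroot method, then sanity-check the files it leaves in
# ~/.acme.sh/<domain>/ before asking support to install them. Assumes acme.sh
# is on PATH and openssl is available; the domain, webroot and file names are
# the ones the post shows.

set -eu

DOMAIN="${DOMAIN:-cpbotha.net}"
WEBROOT="${WEBROOT:-$HOME/webapps/wp}"
CERT_DIR="${CERT_DIR:-$HOME/.acme.sh/$DOMAIN}"

# Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token>.
# Make sure that directory exists under the webroot and is writable by us,
# and print the path of a probe file; fetching that probe with curl over plain
# http confirms the directory is really served (that needs the live site, so
# it is left to the operator).
prepare_challenge_dir() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    probe="$dir/probe-$$"
    printf 'ok\n' > "$probe"
    echo "$probe"
}

issue_cert() {
    acme.sh --issue -d "$DOMAIN" -d "www.$DOMAIN" -w "$WEBROOT"
}

# 0 when the private key and certificate in DIR (named NAME.key / NAME.cer)
# belong together, compared via their public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/$2.cer" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/$2.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when certificate FILE lists NAME as a DNS subject alternative name.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# 0 when certificate FILE is still valid for at least DAYS more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 when ca.cer (the intermediate acme.sh saved beside the leaf) really issued
# the leaf; the intermediate is treated as a trust anchor here, the full path
# to a public root is the browser's job.
chain_verifies() {
    openssl verify -partial_chain -CAfile "$1/ca.cer" "$1/$2.cer" >/dev/null 2>&1
}

main() {
    prepare_challenge_dir "$WEBROOT" >/dev/null
    issue_cert
    key_matches_cert "$CERT_DIR" "$DOMAIN"
    cert_covers_name "$CERT_DIR/$DOMAIN.cer" "www.$DOMAIN"
    cert_valid_for_days "$CERT_DIR/$DOMAIN.cer" 30
    chain_verifies "$CERT_DIR" "$DOMAIN"
    echo "certificate in $CERT_DIR looks sane; now file the support ticket"
}

# Set ACME_RUN=1 to execute the whole flow; sourcing the file only defines the
# functions so they can be reused from other scripts.
if [ "${ACME_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `ACME_RUN=1 sh issue-and-check.sh`. Any check that fails stops the script (set -e), which is cheaper than discovering a key/cert mismatch or a missing www name after support has already installed the files.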

Step 3: Install shiny new SSL certificate

On Webfaction, one has to file a support ticket for this. My request was formulated thusly, and was correctly acted upon in about 5 minutes:

Could you please install the following SSL certificate for the website cpbotha_SSL – reachable at https://cpbotha.net/:

cert is in /home/cpbotha/.acme.sh/cpbotha.net/cpbotha.net.cer

key is in /home/cpbotha/.acme.sh/cpbotha.net/cpbotha.net.key

intermediate CA cert is in /home/cpbotha/.acme.sh/cpbotha.net/ca.cer

full chain certs are here: /home/cpbotha/.acme.sh/cpbotha.net/fullchain.cer

Thanks!

Update on 2016-10-25

It is now possible to install the new certs all by yourself using the webfaction panel or the API! Read the announcement blog post for more information.

Bonus level: In 90 – k days, simply re-run acme.sh

At any point, you can request certificates for any other domains you host on your Webfaction account, using the same --issue command.

At regular intervals, or in slightly fewer than 90 days, simply run:

acme.sh --renewAll

to have acme.sh renew any of your certificates that are up for renewal. Just remember to create a new support ticket to have the renewed certificates installed for the relevant domains.

acme.sh cronjob

Unbeknownst to me (I should have read the docs), acme.sh had cleverly installed a user cronjob to check for renewals. When I attempted to renew two of my certs, I saw that it had already done so automatically, so I only had to install the updated versions.
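Because the cronjob renews the files on disk but the host still serves the old certificate until someone installs the new one, the gap worth watching is “renewed but not installed”. The following is an added example (my own script, not the post’s or acme.sh’s) that compares the fingerprint of the certificate in ~/.acme.sh/<domain>/ with the one the live site presents; it assumes openssl is available, and the host name and paths are the post’s own.

```shell
#!/bin/sh
# Added example (not from the original post): detect a certificate that acme.sh
# has renewed on disk but that the host has not yet installed, by comparing the
# SHA-256 fingerprint of the file in ~/.acme.sh/<domain>/ with the fingerprint
# of the certificate the site serves. Assumes openssl is available.

set -eu

# SHA-256 fingerprint of the first certificate in PEM file $1, as "AB:CD:...".
# For fullchain.cer the first certificate is the leaf.
local_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate a TLS server presents for host $1.
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 when the two fingerprints are identical, 1 otherwise. Kept separate so the
# comparison can be exercised without network access.
fingerprints_match() {
    [ "$1" = "$2" ]
}

# Report whether HOST already serves the certificate stored in FILE; a mismatch
# means a renewed certificate is waiting to be installed.
check_site() {
    host="$1"; file="$2"
    on_disk=$(local_fingerprint "$file")
    served=$(served_fingerprint "$host")
    if fingerprints_match "$on_disk" "$served"; then
        echo "$host: installed cert matches $file"
    else
        echo "$host: serves $served but $file is $on_disk; install the renewed cert" >&2
        return 1
    fi
}

# Run from cron a day or two after acme.sh's own renewal job. Set
# CERT_CHECK_RUN=1 to execute; sourcing the file only defines the functions.
if [ "${CERT_CHECK_RUN:-0}" = 1 ]; then
    check_site cpbotha.net "$HOME/.acme.sh/cpbotha.net/fullchain.cer"
fi
```

A non-zero exit from cron is the cue to file the support ticket (or, after the 2016 update, to upload the files via the panel) before browsers start warning about an expired certificate.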

Boss level: htaccess-based redirect from HTTP to HTTPS

Now that I have my SSL set up, I would prefer that users who go to the HTTP site are 301-redirected to the HTTPS version. On Webfaction, I can do that with the following addition to the site’s .htaccess file:

Thank you very much for stopping by, and thank you the most for making acme.sh!

On webfaction shared hosting we can’t use installcert, because we don’t have access to the apache or the nginx config (which webfaction uses as frontend). SSL certificate installation can only be done by webfaction admins, and hence has to be requested via support.

I’m not familiar with webfaction at all. But, if there is an api in webfaction, by which you can install cert to your web hosting, it will be good to use that api. and write it as a `reload.sh` script, then use `--installcert --reloadcmd "./reload.sh"`

When the cert is renewed, the cert can be installed automatically. Otherwise, you will need to manually install it every 90 days. Which would be annoying.

On the other hand, to get rid of the 90 days annoying problem, you can use another project of mine: https://startapi.sh, which can issue free certificates from startcom, each cert valid for 1 year.

Siteground allows installing letsencrypt from their Web backend. I tried it, was 2 simple button clicks, this explains why. In the end switched to their 1 year free ssl option on foxandflamingo.nl (for Lisette) just because I’m Dutch and I felt like I did pay for it somewhere (nothing is -just- free). Next year will definitely be LetsEncrypt again.

Any help? Or anybody willing to do this for me for a fee – I am trying to move away from shopify to wordpress, but getting an ssl up to use with woocommerce is proving to be a lot more difficult than I thought!

curl performs SSL certificate verification by default, using a “bundle” of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you’d like to turn off curl’s verification of the certificate, use the -k (or --insecure) option.

Dear Charl, Great article. I found this here regarding RENEWAL: https://blog.rarepebble.com/https-on-webfaction/ He talks about an additional script to use the webfaction API. Could you help me to understand the additional steps I would need to take. Thank you very much!

It’s a neat Python script he posts that will replace the acme.sh cron job that runs to check for renewal. His replacement script runs acme.sh, and if there is a new certificate automatically installs it via the webfaction API.

However, this only happens for one specific site.

My advice would be to log a webfaction ticket to ask them if they have any mechanisms for the automatic installation of multiple certificates. If they don’t, you could try to modify (or get someone else to do so) the Python script to loop through all of your sites as acme.sh itself already does during renewal.

Webfaction’s support for Let’s Encrypt is messy and time consuming, which is why I’m seriously considering moving away from them. Instead of automating certs via the Webfaction CP to the point where we just have to click a few buttons, we’re spending lots of time maintaining cert deployment by hand. Also, the damn thing is so fragile too. Like how the cronjob doesn’t update the certs (discovered when Chrome puked up a cert warning and prevented users from reaching the site).

If I can install WordPress with the click of a button, why can’t I do the same with certs? Why do I have to spend so much time on menial crap like this when I’ve got real work to do?
